Can I determine if the SolarWinds TFTP server dated April 2019 is compromised?

security tftp

SolarWinds has been in the news due to the hack of their servers. It is unclear how far back the compromise goes. The only product I have used from them is their free TFTP server. Has the "fingerprint" of the compromise been documented to allow determination if a specific download is affected? Are the compromised files now detectable with commercial virus/malware scanners?


Solution 1:

The SolarWinds cyberattack was a supply chain attack. The nation-state threat actor(s) gained access to the SolarWinds Orion build system and added a backdoor to a legitimate Orion DLL, namely SolarWinds.Orion.Core.BusinessLayer.dll. This DLL was then distributed to SolarWinds customers via their automatic update platform used to push out new software updates. This DLL is loaded by SolarWinds.BusinessLayerHost.exe. The free SolarWinds TFTP Server does not use this update mechanism.

To date, the free TFTP server is not listed by SolarWinds as compromised. See https://www.solarwinds.com/securityadvisory for detailed information.

IOCs can be found at https://github.com/sophos-cybersecurity/solarwinds-threathunt and elsewhere.

Related

Can no longer access my Azure subscription after client adds me as admin to their account
How to configure Systemd service unit to start Node app with "npm start" instead of "app.js"
Unable to delete a subnet I created in GCP
How do I remove the VLAN ID from my NIC (Netadapter)
Is it safe to defragment a file that's being used?
NFS fails to resolve hostname
Multiple static WAN IP addresses to single LAN subnet
Server architecture for high traffic system [duplicate]
ifconfig fails because usb ethernet adapter is not ready yet on FreeBSD
500 error occurs on AI HUB in GCP while using "Open in GCP" and "Download"
Regex query - for matching everything except string
Can I create Let’s Encrypt certificate for my domain from macOS? [closed]